
Method and System for Mobile Hybrid Application Single Sign-on using Delegated Credentials

IP.com Disclosure Number: IPCOM000225996D
Publication Date: 2013-Mar-20
Document File: 3 page(s) / 57K

Publishing Venue

The IP.com Prior Art Database

Abstract

This disclosure describes specific techniques to use a single set of security credentials stored on a mobile device to simultaneously authenticate the web and native portions of a hybrid mobile application. At no time does the user need to enter their actual authentication credentials with a security service on the mobile device.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 47% of the total text.

Page 01 of 3

Method and System for Mobile Hybrid Application Single Sign-on using Delegated Credentials

This disclosure describes specific techniques to use a single set of security credentials stored on a mobile device to simultaneously (i.e. perform single sign-on):

- establish an authenticated, scoped browser session for browser portions of a hybrid application, and
- perform secure, authorised, stateless API calls from native portions of the same hybrid application.

At no time does the user need to enter their actual authentication credentials with a security service on the mobile device.

With the growing number of mobile applications, there is a need to support multiple phone platforms, deploy to the phone's marketplace, provide a rich native experience, and access native device features such as the user's contact list, camera, etc.

A hybrid mobile application provides the ability to develop in a cross-platform manner using web technologies (HTML, CSS, and JavaScript) while still getting access to the phone's underlying features and being able to deploy to the various app marketplaces. This is accomplished by wrapping the web application in a native embedded web browser. This technique is becoming an even stronger option with the advent of good front-end frameworks like jQuery Mobile and the more iPhone-focused jQTouch that make web and hybrid apps feel more natural on a device.

Hybrid mobile applications seen to date typically require the user to authenticate in the browser portion of the application. Some may also use credentials stored on the device to perform REST API calls from browser JavaScript using AJAX, but stop short of using those credentials with a Web Access Management system to establish a true browser session with the same authorised entitlements for the browser portion of the application. This means that the native portions of the application use a different set of credentials from the browser portion of the application.

A specific example of existing prior art is on an Android device, where this problem is solved by providing a setHttpAuthUsernamePassword() method on the WebView object to respond to 401 responses from web sites. This approach obviously requires a username and password on the device and lacks scoped browser session access across both the web and native aspects of an application.

The core idea of this disclosure is to use mobile-stored credentials such as an OAuth access token to establish a browser session for browser portions of a hybrid mobile application and to also use those same credentials in stateless API calls made from the native portion of the same application.

The advantage of this approach is that the scope of access (i.e. authorised access privileges) is identical and consistent at the server for both browser-based requests and native-based requests from the application, permitting consistent policy authoring and enforcement for browser flows (both HTML and AJAX/REST) and web API calls made from the n...
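The following is an added example, not code from the disclosure, modelling the core idea and its advantage on the server side: one mobile-stored OAuth access token (a constructed sample value) is exchanged for a scoped browser session for the webview and is also presented directly on stateless API calls from native code, with both paths passing through a single scope policy so entitlements cannot diverge. The token store, session store and scope names are assumptions for illustration.

```python
import hmac
import secrets
import time

# Constructed token store standing in for the authorisation server's view
# of the single mobile-stored OAuth access token.
ACCESS_TOKENS = {
    "tok-mobile-123": {"sub": "alice",
                       "scope": {"contacts:read", "photos:write"},
                       "exp": time.time() + 3600},
}
SESSIONS = {}  # browser sessions minted from a token: session id -> claims

def introspect(token):
    """Return token claims if the token is known and unexpired, else None."""
    for known, claims in ACCESS_TOKENS.items():
        # Constant-time comparison so lookup timing does not leak the token.
        if hmac.compare_digest(known, token) and claims["exp"] > time.time():
            return claims
    return None

def policy_allows(scope, required):
    """One entitlement check shared by the browser and native paths."""
    return required in scope

def establish_browser_session(token):
    """Exchange the access token for a session cookie (the WAM login step)."""
    claims = introspect(token)
    if claims is None:
        return None
    sid = secrets.token_urlsafe(32)
    # The session inherits scope and expiry from the token, never more.
    SESSIONS[sid] = {"sub": claims["sub"],
                     "scope": set(claims["scope"]), "exp": claims["exp"]}
    return sid

def browser_request(session_id, required_scope):
    """Webview request carrying the session cookie; returns an HTTP status."""
    sess = SESSIONS.get(session_id)
    if sess is None or sess["exp"] <= time.time():
        return 401
    return 200 if policy_allows(sess["scope"], required_scope) else 403

def native_api_request(token, required_scope):
    """Stateless REST call from native code with the bearer token."""
    claims = introspect(token)
    if claims is None:
        return 401
    return 200 if policy_allows(claims["scope"], required_scope) else 403
```

Because the session is derived from the token rather than from a separately entered password, a scope the token lacks is refused identically (403) whether the request arrives over the browser session or as a native bearer call.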